Re: [PATCH] namei: allow restricted O_CREAT of FIFOs and regular files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 15, 2018 at 12:05:49PM -0500, Sasha Levin wrote:
On Tue, Oct 23, 2018 at 08:37:39PM +0200, Loic wrote:
Hello,

Please picked up this patch for linux 4.9 and 4.14 (linux 4.4 needs a small modification).
Indeed, this code will be beneficial to the GNU/Linux distributions that use a longterm kernel.

Compiled/tested without problem.

Thank.

[ Upstream commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 ]

From: Salvatore Mesoraca <s.mesoraca16@xxxxxxxxx>
Date: Thu, 23 Aug 2018 17:00:35 -0700
Subject: namei: allow restricted O_CREAT of FIFOs and regular files

Disallows open of FIFOs or regular files not owned by the user in world
writable sticky directories, unless the owner is the same as that of the
directory or the file is opened without the O_CREAT flag.  The purpose
is to make data spoofing attacks harder.  This protection can be turned
on and off separately for FIFOs and regular files via sysctl, just like
the symlinks/hardlinks protection.  This patch is based on Openwall's
"HARDEN_FIFO" feature by Solar Designer.

This is a brief list of old vulnerabilities that could have been prevented
by this feature, some of them even allow for privilege escalation:

CVE-2000-1134
CVE-2007-3852
CVE-2008-0525
CVE-2009-0416
CVE-2011-4834
CVE-2015-1838
CVE-2015-7442
CVE-2016-7489

This list is not meant to be complete.  It's difficult to track down all
vulnerabilities of this kind because they were often reported without any
mention of this particular attack vector.  In fact, before
hardlinks/symlinks restrictions, fifos/regular files weren't the favorite
vehicle to exploit them.

[s.mesoraca16@xxxxxxxxx: fix bug reported by Dan Carpenter]
Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda
Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@xxxxxxxxx
[keescook@xxxxxxxxxxxx: drop pr_warn_ratelimited() in favor of audit changes in the future]
[keescook@xxxxxxxxxxxx: adjust commit subjet]
Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast
Signed-off-by: Salvatore Mesoraca <s.mesoraca16@xxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Suggested-by: Solar Designer <solar@xxxxxxxxxxxx>
Suggested-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>

Loic, could you please sign off on this one? You did so for the other
but not this.

Actually, you only Cc'ed yourself on the other one, you'd need to sign
off on both of them. It's fine doing it as a reply for each commit, no
need to respin the patch.

--
Thanks,
Sasha



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux